aboutsummaryrefslogtreecommitdiff
path: root/lib/libgssapi/gss_acquire_cred.3
diff options
context:
space:
mode:
authorDoug Rabson <dfr@FreeBSD.org>2005-12-29 14:40:22 +0000
committerDoug Rabson <dfr@FreeBSD.org>2005-12-29 14:40:22 +0000
commitc0b9f4fe659b6839541970eb5675e57f4d814969 (patch)
treef226da354a25653f837708c3ecef3468ea981824 /lib/libgssapi/gss_acquire_cred.3
parent66c6b326543894776c17486b5932438e9dd098c9 (diff)
downloadsrc-c0b9f4fe659b6839541970eb5675e57f4d814969.tar.gz
src-c0b9f4fe659b6839541970eb5675e57f4d814969.zip
Add a new extensible GSS-API layer which can support GSS-API plugins,
similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
Notes
Notes: svn path=/head/; revision=153838
Diffstat (limited to 'lib/libgssapi/gss_acquire_cred.3')
-rw-r--r--lib/libgssapi/gss_acquire_cred.3238
1 files changed, 238 insertions, 0 deletions
diff --git a/lib/libgssapi/gss_acquire_cred.3 b/lib/libgssapi/gss_acquire_cred.3
new file mode 100644
index 000000000000..d108875e71ad
--- /dev/null
+++ b/lib/libgssapi/gss_acquire_cred.3
@@ -0,0 +1,238 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_ACQUIRE_CRED 3 PRM
+.Sh NAME
+.Nm gss_acquire_cred
+.Nd Obtain a GSS-API credential handle for pre-existing credentials
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_acquire_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t desired_name"
+.Fa "OM_uint32 time_req"
+.Fa "const gss_OID_set desired_mechs"
+.Fa "gss_cred_usage_t cred_usage"
+.Fa "gss_cred_id_t *output_cred_handle"
+.Fa "gss_OID_set *actual_mechs"
+.Fa "OM_uint32 *time_rec"
+.Fc
+.Sh DESCRIPTION
+Allows an application to acquire a handle for a pre-existing
+credential by name.
+GSS-API implementations must impose a local
+access-control policy on callers of this routine to prevent
+unauthorized callers from acquiring credentials to which they are not
+entitled.
+This routine is not intended to provide a "login to the
+network" function, as such a function would involve the creation of
+new credentials rather than merely acquiring a handle to existing
+credentials.
+Such functions, if required, should be defined in
+implementation-specific extensions to the API.
+.Pp
+If desired_name is
+.Dv GSS_C_NO_NAME ,
+the call is interpreted as a
+request for a credential handle that will invoke default behavior
+when passed to
+.Fn gss_init_sec_context
+(if cred_usage is
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH )
+or
+.Fn gss_accept_sec_context
+(if cred_usage is
+.Dv GSS_C_ACCEPT
+or
+.Dv GSS_C_BOTH ).
+.Pp
+Mechanisms should honor the
+.Fa desired_mechs
+parameter,
+and return a credential that is suitable to use only with the
+requested mechanisms.
+An exception to this is the case where one underlying credential
+element can be shared by multiple mechanisms;
+in this case it is permissible for an implementation to indicate all
+mechanisms with which the credential element may be used.
+If
+.Fa desired_mechs
+is an empty set, behavior is undefined.
+.Pp
+This routine is expected to be used primarily by context acceptors,
+since implementations are likely to provide mechanism-specific ways
+of obtaining GSS-API initiator credentials from the system login
+process.
+Some implementations may therefore not support the acquisition of
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH
+credentials via
+.Fn gss_acquire_cred
+for any name other than
+.Dv GSS_C_NO_NAME ,
+or a name produced by applying either
+.Fn gss_inquire_cred
+to a valid credential, or
+.Fn gss_inquire_context
+to an active context.
+.Pp
+If credential acquisition is time-consuming for a mechanism,
+the mechanism may choose to delay the actual acquisition until the
+credential is required
+(e.g. by
+.Fn gss_init_sec_context
+or
+.Fn gss_accept_sec_context ).
+Such mechanism-specific implementation
+decisions should be invisible to the calling application;
+thus a call of
+.Fn gss_inquire_cred
+immediately following the call of
+.Fn gss_acquire_cred
+must return valid credential data,
+and may therefore incur the overhead of a deferred credential acquisition.
+.Sh PARAMETERS
+.Bl -tag
+.It desired_name
+Name of principal whose credential should be acquired.
+.It time_req
+Number of seconds that credentials should remain valid.
+Specify
+.Dv GSS_C_INDEFINITE
+to request that the credentials have the maximum
+permitted lifetime.
+.It desired_mechs
+Set of underlying security mechanisms that may be used.
+.Dv GSS_C_NO_OID_SET
+may be used to obtain an implementation-specific default.
+.It cred_usage
+.Bl -tag -width "GSS_C_INITIATE"
+.It GSS_C_BOTH
+Credentials may be used either to initiate or accept security
+contexts.
+.It GSS_C_INITIATE
+Credentials will only be used to initiate security contexts.
+.It GSS_C_ACCEPT
+Credentials will only be used to accept security contexts.
+.El
+.It output_cred_handle
+The returned credential handle.
+Resources
+associated with this credential handle must be released by
+the application after use with a call to
+.Fn gss_release_cred .
+.It actual_mechs
+The set of mechanisms for which the credential is valid.
+Storage associated with the returned OID-set must be released by the
+application after use with a call to
+.Fn gss_release_oid_set .
+Specify
+.Dv NULL if not required.
+.It time_rec
+Actual number of seconds for which the returned credentials will
+remain valid.
+If the implementation does not support expiration of credentials,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify NULL if not required.
+.It minor_status
+Mechanism specific status code.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_BAD_MECH
+Unavailable mechanism requested.
+.It GSS_S_BAD_NAMETYPE
+Type contained within desired_name parameter is not supported.
+.It GSS_S_BAD_NAME
+Value supplied for desired_name parameter is ill formed.
+.It GSS_S_CREDENTIALS_EXPIRED
+The credentials could not be acquired Because they have expired.
+.It GSS_S_NO_CRED
+No credentials were found for the specified name.
+.El
+.Sh SEE ALSO
+.Xr gss_init_sec_context 3 ,
+.Xr gss_accept_sec_context 3 ,
+.Xr gss_inquire_cred 3 ,
+.Xr gss_inquire_context 3 ,
+.Xr gss_release_cred 3 ,
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates